FIDO Metadata Clarifications


Thamindu Dilshan Jayawickrama

Mar 21, 2022, 12:59:30 AM
to FIDO Dev (fido-dev)
Hi All,

We've been trying to implement FIDO MDS3 support in our identity server product to pass the FIDO2 compliance tests. In the process, I have ended up with the following questions/doubts regarding the procedure and would like to obtain some clarification.
  1. When running the metadata tests, we must submit our server URL to https://mds3.certinfra.fidoalliance.org/ and add the provided MDS endpoints to the server. From my observations, these MDS endpoints are unique to the server URL. We can configure these URLs permanently in the server and fetch them once every month, assuming the data at these endpoints will be updated. Is that correct?
  2. Should we provide all of these MDS endpoints (I have noticed a total of 5 endpoints) to the server when initializing certificate path validation (I'm using the Java webauthn4j library)? The reason for asking this question is that I have noticed runtime exceptions due to invalid metadata BLOB signatures corresponding to some endpoints. Also, the MDS3 spec mentions having one metadata JSON file. What is the purpose of these multiple service endpoints?
  3. Another observation of mine is that the MDS endpoints obtained by submitting the server URL to https://mds3.certinfra.fidoalliance.org/ contain some test metadata which only relates to the conformance testing. Does that mean there's no need to keep these MDS endpoints in the server permanently, and that we can obtain some fixed endpoints with the actual data after obtaining the FIDO certificate?
  4. Also, we've been using an adapter to perform communication between the tool and the server. In that case, what is the server URL we should publish to https://mds3.certinfra.fidoalliance.org/? We are currently using the adapter URL as the server URL in the conformance tool.
Your help is highly appreciated.

Thanks in advance.

Regards,
Thamindu

Ricardo Reis

Nov 29, 2023, 9:07:56 AM
to FIDO Dev (fido-dev), Thamindu Dilshan Jayawickrama

I have the same issue, any support? Thanks

Thamindu Dilshan Jayawickrama

Nov 29, 2023, 9:44:53 AM
to FIDO Dev (fido-dev), Ricardo Reis, Thamindu Dilshan Jayawickrama
Below are my findings.

The server URL "https://mds3.certinfra.fidoalliance.org/" is only for conformance testing purposes, and there's a different endpoint for production use ("https://mds3.fidoalliance.org/"). This endpoint can be fetched once a month and the content cached, as it doesn't change frequently. Read more on this at: https://fidoalliance.org/metadata/

As the endpoints obtained from "https://mds3.certinfra.fidoalliance.org/" are testing endpoints, runtime exceptions may be expected, and those might be added as a compliance testing step. I cannot confirm that.

If you're using an adapter to perform communication between the tool and the server, the adapter URL should be published to "https://mds3.certinfra.fidoalliance.org/", as the compliance tool communicates directly with the adapter.

Thanks,
Thamindu
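
An added example (not code from this thread, from webauthn4j, or from the FIDO Alliance) of the consumer side Thamindu describes: fetch the MDS3 BLOB, refuse it unless its JWT signature verifies, cache it until the BLOB's own nextUpdate date rather than on a fixed calendar, refuse a serial rollback, and answer "is this authenticator model still trustworthy" from the entry's latest status report. The field names (no, nextUpdate, entries, aaguid, statusReports) are those of the MDS3 BLOB; everything else is assumed: the HMAC "signature" is a stand-in so the block runs offline (a production verifier must validate the JWT's x5c chain up to the FIDO MDS root certificate, which is exactly the step that blows up on the conformance-only endpoints), the AAGUIDs and key are constructed, and the code assumes statusReports are listed chronologically.

```python
"""Added example: fail-closed MDS3 BLOB consumer with nextUpdate-driven caching.
Field names follow the FIDO MDS v3 BLOB format; the HMAC signature is an offline
stand-in for x5c chain validation against the FIDO MDS root certificate."""
import base64
import hashlib
import hmac
import json
from datetime import date

# Status values the MDS spec uses for compromised or withdrawn models.
UNSAFE_STATUSES = {"USER_VERIFICATION_BYPASS", "ATTESTATION_KEY_COMPROMISE",
                   "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE", "REVOKED"}


class MdsBlobError(Exception):
    """Raised for any BLOB that must not be trusted or used."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


class MdsBlob:
    """Parsed BLOB payload, indexed by AAGUID."""

    def __init__(self, payload: dict):
        self.no = int(payload["no"])  # serial number, must only grow
        self.next_update = date.fromisoformat(payload["nextUpdate"])
        self.entries = {e["aaguid"]: e for e in payload.get("entries", []) if "aaguid" in e}


def parse_blob(jwt: str, verify) -> MdsBlob:
    """Split the compact JWS, verify the signature over header.payload, then parse."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise MdsBlobError("BLOB is not a compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if not verify(header, f"{h}.{p}".encode(), b64url_decode(s)):
        raise MdsBlobError("BLOB signature invalid")  # fail closed: unverified payload is never read
    return MdsBlob(json.loads(b64url_decode(p)))


class MdsCache:
    """Holds the last good BLOB and refetches only once nextUpdate is reached."""

    def __init__(self, fetch, verify):
        self._fetch = fetch  # returns the raw JWT string (an HTTPS GET in production)
        self._verify = verify
        self.blob = None

    def refresh_if_due(self, today: date) -> bool:
        if self.blob is not None and today < self.blob.next_update:
            return False
        new = parse_blob(self._fetch(), self._verify)  # on any failure the old BLOB stays in use
        if self.blob is not None and new.no < self.blob.no:
            raise MdsBlobError("BLOB serial decreased; refusing rollback")
        self.blob = new
        return True

    def check_authenticator(self, aaguid: str) -> str:
        """Return OK, UNSAFE or UNKNOWN for a model from its latest status report."""
        if self.blob is None:
            raise MdsBlobError("no metadata loaded")
        entry = self.blob.entries.get(aaguid)
        if entry is None:
            return "UNKNOWN"
        reports = entry.get("statusReports") or []
        # Assumption: statusReports are chronological, so the last one is current.
        latest = reports[-1]["status"] if reports else "NOT_FIDO_CERTIFIED"
        return "UNSAFE" if latest in UNSAFE_STATUSES else "OK"


# --- constructed demo data, not real MDS content -----------------------------
DEMO_KEY = b"constructed-demo-key"
AAGUID_GOOD = "11111111-1111-1111-1111-111111111111"
AAGUID_BAD = "22222222-2222-2222-2222-222222222222"


def demo_verify(header: dict, signing_input: bytes, sig: bytes) -> bool:
    """HMAC stand-in for x5c chain verification; also pins the expected alg."""
    if header.get("alg") != "HS256":
        return False
    return hmac.compare_digest(hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest(), sig)


def make_demo_blob(no: int, next_update: str, key: bytes = DEMO_KEY) -> str:
    """Build a constructed MDS3-shaped BLOB; a wrong key simulates a tampered BLOB."""
    payload = {"no": no, "nextUpdate": next_update, "entries": [
        {"aaguid": AAGUID_GOOD, "statusReports": [{"status": "FIDO_CERTIFIED_L1"}]},
        {"aaguid": AAGUID_BAD, "statusReports": [{"status": "FIDO_CERTIFIED"},
                                                 {"status": "ATTESTATION_KEY_COMPROMISE"}]}]}
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"
```

The two design points worth carrying into a real deployment: refresh is driven by the BLOB's nextUpdate field, so "once a month" falls out of the data instead of being a hard-coded assumption, and a BLOB that fails signature verification (or whose serial number goes backwards) raises and leaves the previously verified BLOB in place rather than replacing it with nothing.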

Ricardo Reis

Nov 29, 2023, 12:11:57 PM
to FIDO Dev (fido-dev), Thamindu Dilshan Jayawickrama, Ricardo Reis
Thanks Thamindu.